Can`t find NTLMv2 Hash
#1
Good day, everyone.
I try to crack NTLMv2 hash with the help of hashcat. My two virtual machines communictate with each other and authenticate with the help of NTLMv2. I use wireshark to catch all fields of NTLM authentication.


The main structure of the unit to crack looks like that:


Username:: Domain:Challenge:NTLMv2hash(aka HMAC-MD5):blob(entire NTLMv2 response except the HMAC that was in the preceding field)

So, in packets that i watch in WireShark, i can find almost all filed, except NTLMv2hash and the blob (two last field).
Could you please explain me, where to find them, or how should i do in this situation?
#2
In my experience, when I capture an NTLMv2 hash, the output explicitly says that. So maybe you're not capturing them?
#3
I think most people don't use wireshark to capture NTLMv2 (but should be possible), they use some sort of layer 2 attack tools or modified samba services.